Florian Weimer's patch to remove the unwanted and unused support for

RSA_EXPORT from the GnuTLS code.

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 4e2c709e688073018f70bdeee6b29d3ada514a34..2355e01fc9056d728861e662b6d7a290c62bf612 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -1,4 +1,4 @@
-$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.407 2006/10/16 10:37:19 ph10 Exp $
+$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.408 2006/10/16 10:58:39 ph10 Exp $
 
 Change log file for Exim from version 4.21
 -------------------------------------------
@@ -134,6 +134,14 @@ PH/19 The functions {pwcheck,saslauthd}_verify_password() are always called
       but it didn't always do it. This confused somebody who was copying the
       code for some other use. I have removed all the tests.
 
+PH/20 It was discovered that the GnuTLS code had support for RSA_EXPORT, a
+      feature that was used to support insecure browsers during the U.S. crypto
+      embargo. It requires special client support, and Exim is probably the
+      only MTA that supported it -- and would never use it because real RSA is
+      always available. This code has been removed, because it had the bad
+      effect of slowing Exim down by computing (never used) parameters for the
+      RSA_EXPORT functionality.
+
 
 Exim version 4.63
 -----------------

diff --git a/src/ACKNOWLEDGMENTS b/src/ACKNOWLEDGMENTS
index d5c19bce67d4696fc6a672df15d8274783e6396c..049e3096982727637d88b27c99e67c289de78c51 100644 (file)
--- a/src/ACKNOWLEDGMENTS
+++ b/src/ACKNOWLEDGMENTS
@@ -1,4 +1,4 @@
-$Cambridge: exim/src/ACKNOWLEDGMENTS,v 1.57 2006/10/03 15:11:22 ph10 Exp $
+$Cambridge: exim/src/ACKNOWLEDGMENTS,v 1.58 2006/10/16 10:58:40 ph10 Exp $
 
 EXIM ACKNOWLEDGEMENTS
 
@@ -20,7 +20,7 @@ relatively small patches.
 Philip Hazel
 
 Lists created: 20 November 2002
-Last updated:  03 October 2006
+Last updated:  16 October 2006
 
 
 THE OLD LIST
@@ -252,6 +252,8 @@ Matthias Waffenschmidt    Patch for build-time Perl bug in configure script
 Norihisa Washitake        Suggested patch for RFC 2047 header decoding
 Chris Webb                Patch for support of an SPF lookup method.
 Florian Weimer            Patch for minor format string issue
+                          Noticing the unwanted (and time-wasting) GnuTLS
+                            RSA_EXPORT code, and supplying a patch to remove it
 Joachim Wieland           Patches for PostgreSQL socket support and other
                             PostgreSQL functionality
                           Patch for hosts_avoid_esmtp

diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 31f226b4e3b1db024dc0cb7e98875f517c67e997..98aea4451ffe7aa1f04eb1e3c09173bbda93614d 100644 (file)
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/tls-gnu.c,v 1.12 2006/02/14 14:12:07 ph10 Exp $ */
+/* $Cambridge: exim/src/src/tls-gnu.c,v 1.13 2006/10/16 10:58:40 ph10 Exp $ */
 
 /*************************************************
 *     Exim - an Internet mail transport agent    *
@@ -23,7 +23,6 @@ functions from the GnuTLS library. */
 
 #define UNKNOWN_NAME "unknown"
 #define DH_BITS      768
-#define RSA_BITS     512
 #define PARAM_SIZE 2*1024
 
 
@@ -37,7 +36,6 @@ enum { INITIALIZED_NOT, INITIALIZED_SERVER, INITIALIZED_CLIENT };
 static BOOL initialized = INITIALIZED_NOT;
 static host_item *client_host;
 
-static gnutls_rsa_params rsa_params = NULL;
 static gnutls_dh_params dh_params = NULL;
 
 static gnutls_certificate_server_credentials x509_cred = NULL;
@@ -57,7 +55,6 @@ static const int kx_priority[16] = {
   GNUTLS_KX_RSA,
   GNUTLS_KX_DHE_DSS,
   GNUTLS_KX_DHE_RSA,
-  GNUTLS_KX_RSA_EXPORT,
   0 };
 
 static int default_cipher_priority[16] = {
@@ -262,9 +259,6 @@ uschar filename[200];
 
 /* Initialize the data structures for holding the parameters */
 
-ret = gnutls_rsa_params_init(&rsa_params);
-if (ret < 0) return tls_error(US"init rsa_params", host, ret);
-
 ret = gnutls_dh_params_init(&dh_params);
 if (ret < 0) return tls_error(US"init dh_params", host, ret);
 
@@ -298,20 +292,9 @@ if (fd >= 0)
     return tls_error(US"TLS cache read failed", host, 0);
   (void)close(fd);
 
-  ret = gnutls_rsa_params_import_pkcs1(rsa_params, &m, GNUTLS_X509_FMT_PEM);
-
-  if (ret < 0)
-    {
-    DEBUG(D_tls)
-      debug_printf("RSA params import failed: assume old-style cache file\n");
-    }
-  else
-    {
-    ret = gnutls_dh_params_import_pkcs3(dh_params, &m, GNUTLS_X509_FMT_PEM);
-    if (ret < 0)
-      return tls_error(US"DH params import", host, ret);
-    DEBUG(D_tls) debug_printf("read RSA and D-H parameters from file\n");
-    }
+  ret = gnutls_dh_params_import_pkcs3(dh_params, &m, GNUTLS_X509_FMT_PEM);
+  if (ret < 0) return tls_error(US"DH params import", host, ret);
+  DEBUG(D_tls) debug_printf("read RSA and D-H parameters from file\n");
 
   free(m.data);
   }
@@ -339,10 +322,6 @@ if (ret < 0)
   {
   uschar tempfilename[sizeof(filename) + 10];
 
-  DEBUG(D_tls) debug_printf("generating %d bit RSA key...\n", RSA_BITS);
-  ret = gnutls_rsa_params_generate2(rsa_params, RSA_BITS);
-  if (ret < 0) return tls_error(US"RSA key generation", host, ret);
-
   DEBUG(D_tls) debug_printf("generating %d bit Diffie-Hellman key...\n",
     DH_BITS);
   ret = gnutls_dh_params_generate2(dh_params, DH_BITS);
@@ -362,9 +341,7 @@ if (ret < 0)
    * certtool or other programs.
    *
    * The commands for certtool are:
-   * $ certtool --generate-privkey --bits 512 >params
-   * $ echo "" >>params
-   * $ certtool --generate-dh-params --bits 1024 >> params
+   * $ certtool --generate-dh-params --bits 1024 > params
    */
 
   m.size = PARAM_SIZE;
@@ -372,16 +349,6 @@ if (ret < 0)
   if (m.data == NULL)
     return tls_error(US"memory allocation failed", host, 0);
 
-  ret = gnutls_rsa_params_export_pkcs1(rsa_params, GNUTLS_X509_FMT_PEM,
-    m.data, &m.size);
-  if (ret < 0) return tls_error(US"RSA params export", host, ret);
-
-  /* Do not write the null termination byte. */
-
-  m.size = Ustrlen(m.data);
-  if (write(fd, m.data, m.size) != m.size || write(fd, "\n", 1) != 1)
-    return tls_error(US"TLS cache write failed", host, 0);
-
   m.size = PARAM_SIZE;
   ret = gnutls_dh_params_export_pkcs3(dh_params, GNUTLS_X509_FMT_PEM, m.data,
     &m.size);
@@ -398,11 +365,10 @@ if (ret < 0)
     return tls_error(string_sprintf("failed to rename %s as %s: %s",
       tempfilename, filename, strerror(errno)), host, 0);
 
-  DEBUG(D_tls) debug_printf("wrote RSA and D-H parameters to file %s\n",
-    filename);
+  DEBUG(D_tls) debug_printf("wrote D-H parameters to file %s\n", filename);
   }
 
-DEBUG(D_tls) debug_printf("initialized RSA and D-H parameters\n");
+DEBUG(D_tls) debug_printf("initialized D-H parameters\n");
 return OK;
 }
 
@@ -540,7 +506,6 @@ if (cas != NULL)
 /* Associate the parameters with the x509 credentials structure. */
 
 gnutls_certificate_set_dh_params(x509_cred, dh_params);
-gnutls_certificate_set_rsa_export_params(x509_cred, rsa_params);
 
 DEBUG(D_tls) debug_printf("initialized certificate stuff\n");
 return OK;

diff --git a/test/scripts/2000-GnuTLS/2000 b/test/scripts/2000-GnuTLS/2000
index 60afb52b49c56be5d5f04e7e132c350c1b3b0223..c8dcb6a8484379fb61d4cc73b83b736c6dfff66a 100644 (file)
--- a/test/scripts/2000-GnuTLS/2000
+++ b/test/scripts/2000-GnuTLS/2000
@@ -3,8 +3,7 @@
 # For this first GnuTLS test, we do not obey "gnutls", so that Exim has to
 # create the GnuTLS paramter data for itself.
 #
-echo ==> Creating GnuTLS parameter data ... may take some time ... 
-echo ==> Moving the mouse about may help ...
+echo ==> Creating GnuTLS parameter data ...
 exim -DSERVER=server -bd -oX PORT_D
 ****
 exim CALLER@test.ex